Commercial privacy systems utilize cryptographic algorithms to protect information and limit access thereto. A standard cryptographic algorithm is the Data Encryption Standard ("DES"). As such, cryptographic privacy systems permit individuals within an organization to encode plain text information into "cipher text" using a cryptographic key. Cipher text is mixed up and unreadable. In an encrypted computer system, cipher text characters may be any of the standard ASCII characters that are used in modern computer systems.
A cryptographic process which produces cipher text is reversible: through the use of the same key which was used to encrypt the plain text, a person having that key can regenerate the cipher text into the original plain text form. Except for being unreadable, cipher text can be stored, transferred and manipulated just like any other file or data. By keeping the key and the identity of the cryptographic algorithm a secret, the cipher text is kept from being unscrambled.
In addition to the difficulties of encrypting and decrypting plain text, there is also the problem of designating which of a number of organizations and divisions within those organizations, as well as which particular people in those divisions, can have controlled, controllable access to written information and on-line communications. Obviously, a unique key can be used for each particular text and each particular use of that text. However, this gives rise to a tracking process that must be applied in order to keep track of the unique keys. This function or role is called key management. It can be manually intensive and it certainly affects organizational performance. Thus, key management is often the most costly part of an organizational security system.
The value of the performance of a key management system is the value of important organizational information reaching the right people at the right time in the right way. When there are a number of large groups of people communicating private or sensitive information that needs to be protected, tracking which of the unique keys is used, by whom it is used, and the rationale for the use of a particular key is a difficult part of the key management process.
As a result of the complex array of keys necessary for such a large number of people divided into different, often overlapping, and often changing groups, who communicate for divergent reasons through many dynamic multi-media methods, key management is made extremely difficult if not nearly impossible. Additionally, the tracking of the key represents a simple process of assigning a particular key to a project or to a particular station, with no verification of the justification for the creation, generation or use of that key. In other words, once a key is generated, the reasons for its generation are often lost. It is just this independent tracking of keys which makes the conventional key management systems extremely difficult to maintain.
Thus, there is a need for a key management system which will not only keep track of the keys which are used with a particular message, but will also maintain the justification for the use of that key and the justification for the different categories of personnel access and the criteria used for selecting the communications system.
The principal problems with the use of traditional cryptographic systems today concern their use in association with the context, intent and sensitivity of the information being distributed and stored using modern desktop multi-media methods. However, because the skill of the user of the information is usually non-technical, a very simplified, computerized system is needed to accomplish these purposes. The data or information being transmitted may have a substantial representation of rationality, but is incomplete because it can only convey self-referenced and internal information. The data may also not be complex enough to provide external references necessary for communicating the inferential components that provide the reason for the data and communication. There is thus also the need for a means to apply external rationalization for the purposes and use of the data or information.
In today's communication environment, a desktop multi-media system generates a very large amount of information, much of which may be sensitive, and all of which needs to be passed through inter-organizational networks and intra-organizational subnetworks. To some degree, all organizations require the compartmentalization of different types of information. The organizations have requirements for multi-level access to some or all of the sensitive information and the concept of that access usually involves a consideration of the need and capability of an individual to access the particular information. On the other hand, any information access limiting system cannot be so cumbersome or difficult to use that it at a minimum discourages the use or access of the information and at the maximum prevents its access and utilization.
There is thus the need for an object oriented key management philosophy in which the data or information carries with it its reason for being and the rationale for access to it. This is sometimes called the need for a secured signature of the rational link between the key used in the algorithm and the cipher text product or its use.
Standard cryptographic privacy systems are traditionally based on manually indexed associations between an irrational key and often some narrow reason for its use. Keys are chosen from essentially random numbers and are used to initialize pointers in a cryptographic algorithm. Often, such keys are generated by a random number generator and are not known to the user, but are instead buried in the particular computer program which that user is using. Obviously, this type of system has the disadvantage that the key is integral to the system which is generating or transmitting the data or information. By using an irrational key, that is, a key comprised of characters which together have no meaning, it is very difficult to keep track of the reason for the existence of that key. With time, associated with situational conditions, the association between the reasons for the generation of the key and the data degenerates.
Furthermore, cryptographic keys are usually managed under systems that generally provide only a static distribution means. Keys are reused for significant periods of time for many reasons and for many types of messages. Traditional privacy systems are periodically secured, but not transactionally secured. This results in the privacy keys remaining the same for each message passed through a communications node during a defined period of time. Sometimes, keys are expected to be used from 180 days to years, during which time all messages stored or moved use the same key. During this period, windows of opportunity exist to exploit "protected" traffic, if one obtains the correct key(s).
Closely associated with the concept of keys is the concept of passwords, passphrases, and labels. Whereas many cryptographic systems utilize irrational numbers for keys, other systems use as an input a password or passphrase which is then encoded, manipulated, or translated into a key. Passwords and passphrases are usually in the form of words or a number of words which have a rational meaning and thus are easy to remember. In addition, because they can be longer strings of characters, they have a cryptographic advantage because there are more characters to work with. For example, a passphrase can be simply "The rain in Spain" which is concatenated to be "THERAININSPAIN." On the other hand, a password could just be the word "Spain" or "rain". Because passwords and passphrases have meaning, as indicated above, they are called or defined at least herein as being "rational." On the other hand, bank account numbers and a group of numbers and letters randomly generated (e.g. OX342PN17) are called or defined at least herein as being "irrational" because they have no internal meaning.
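The translation of a rational passphrase into an irrational key, described above, can be sketched as follows. This is an added example, not part of the original text: the text names no translation algorithm, so the use of PBKDF2-HMAC-SHA256, the salt, the iteration count and the function names are all assumptions of the example.

```python
import hashlib
import hmac
import secrets


def normalize(passphrase):
    """Concatenate as in the text: keep letters and digits only, upper-cased."""
    return "".join(ch for ch in passphrase if ch.isalnum()).upper()


def derive_key(passphrase, salt, length=32, iterations=600_000):
    """Translate a rational passphrase into an irrational key of `length` bytes.

    PBKDF2-HMAC-SHA256 is this example's choice; the text names no algorithm.
    """
    material = normalize(passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", material, salt, iterations, dklen=length)


def same_key(passphrase, salt, expected, iterations=600_000):
    """Re-derive the key and compare it with `expected` in constant time."""
    candidate = derive_key(passphrase, salt, len(expected), iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    salt = secrets.token_bytes(16)   # constructed sample salt; stored with the data, not secret
    key = derive_key("The rain in Spain", salt)
    print(normalize("The rain in Spain"), key.hex())
    # The concatenation discards spacing and case, so this variant yields the same key.
    print(same_key("THE RAIN IN SPAIN", salt, key))
    # A shorter password from the same words yields a different key.
    print(same_key("Spain", salt, key))
```

Because the concatenation step throws away spacing and case, variants of a passphrase that differ only in those respects map to one key, which narrows the set of distinct inputs an attacker has to try.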
The prior art is replete with cryptographic data management systems which attempt to address one or more of the foregoing problems. Generally, however, none of these references totally satisfies the requirements of modern communications with a large number of messages, a large number of senders and receivers, a large number of places to which the messages are sent, and an efficient and easy to use tracking system. Furthermore, these references also generally do not address the problem of regulating user access to the data in an efficient, yet secure way. Examples of such prior art references are mentioned below and are incorporated herein by reference. Such references also disclose background information relevant to the present invention.
The Pond et al. U.S. Pat. No. 4,864,616 discloses a method of cryptographically labelling electronically stored data in which a plurality of key streams are utilized. An encryption and decryption method utilizes reproducible mathematical functions such as an EXCLUSIVE OR mathematical methodology and incorporates a label that contains encrypting and decrypting information which is added to the header of the file. The label is also used for controlling access to the file and verifying the integrity of the file. The patent also discloses encrypting and decrypting the labels separately from the file itself.
A similar cryptographic system is disclosed in the Preston et al. U.S. Pat. No. 5,052,040. This patent discloses a system and method of utilizing a plurality of labels that includes the configuration that the file was created on, the owner of the file, the machine that it was created on, and any special algorithms that may be used on the files. The label also contains a plurality of unique I.D.'s for each of the users that has access to the file. Obviously, such a system would have limitations where there was a large number of users. As in the Pond et al. patent mentioned above, the method and system of the Preston et al. patent encrypts the label information.
There are many methods that are available for reversibly altering a key or label. A common method is to use the EXCLUSIVE OR function, sometimes referred to simply as the XOR function. The Smith, Sr., et al. U.S. Pat. No. 5,214,698 discloses dividing a key into multiple parts, in which a key part is XORed with a proper control vector.
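The reversibility of XOR, and the effect of combining a key part with a control vector, can be seen in the following added example. It is a general illustration and not the method of any of the cited patents; the function names, the hashing of the control vector to key length, the sample key and the control-vector strings are all assumptions of the example.

```python
import hashlib
import secrets
from functools import reduce


def xor_bytes(a, b):
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("operands must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key, parts):
    """Return `parts` pieces whose XOR is `key`; every piece is needed to rebuild it."""
    if parts < 2:
        raise ValueError("need at least two parts")
    pieces = [secrets.token_bytes(len(key)) for _ in range(parts - 1)]
    return pieces + [reduce(xor_bytes, pieces, key)]


def join_key(pieces):
    """XOR all pieces together to recover the key."""
    return reduce(xor_bytes, pieces)


def cv_mask(control_vector, length):
    """Assumption of this example: stretch the control vector to key length by hashing."""
    return hashlib.shake_256(control_vector).digest(length)


def apply_cv(part, control_vector):
    """XOR a key part with the control-vector mask; a second call with the same vector undoes it."""
    return xor_bytes(part, cv_mask(control_vector, len(part)))


def demo():
    key = bytes.fromhex("0123456789abcdef")   # constructed 8-byte sample key
    pieces = split_key(key, 3)
    # Mask one part only: the same mask on an even number of parts would cancel out on join.
    stored = [apply_cv(pieces[0], b"USE=DATA-ENCRYPT")] + pieces[1:]
    good = join_key([apply_cv(stored[0], b"USE=DATA-ENCRYPT")] + stored[1:])
    bad = join_key([apply_cv(stored[0], b"USE=KEY-EXPORT")] + stored[1:])
    return key, good, bad


if __name__ == "__main__":
    key, good, bad = demo()
    print(good == key, bad == key)
```

Presenting the control vector that was used at storage time recovers the key; presenting any other control vector yields a different, useless value, which is how the declared use becomes bound to the key.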
The United States Patents to Greenberg U.S. Pat. No. 5,220,606 and to Matyas et al. U.S. Pat. No. 4,993,069 disclose cryptographic techniques which utilize control vectors or labels for use with encoding keys or for controlling access to the system.
A recently issued United States patent to the present inventor, U.S. Pat. No. 5,369,707, discloses a somewhat different key management rationale that utilizes a separately encrypted header which in turn contains routing information about the message. The header is also used to generate a key used in the encryption-decryption process.